One of the key facts regarding Access Control Lists (ACLs) that we drill into your head during CCNA is the fact that the lists you create end with what is called the "implicit" deny all. You do not see it, but the effect is undeniable. Any packets that do not match any of the permit statements in your list get deny treatment. In the case of our filtering access lists, this means the packets are dropped. As you recall from the course, this is why we desperately require at least one permit entry in all of our filtering access control lists.

But what if we want to track what we actually drop as a result of this powerful implicit deny all effect? Well, a clever trick is to end the list with an explicit deny statement and log the result. In this post, we will examine this technique.

Now I will apply this ACL inbound to a router interface and generate some traffic that matches this statement. When we run the command show access-lists, we can see from the "hit counter" that the permit has caught some matches. But what about packets that have failed?

In order to be alerted about packets that hit the implicit deny all, we need to create an explicit one. If we are really concerned about packets that do not match any permits, we can add the log option so we can be alerted at the command line, in addition to being notified when we do the show access-list command.

One question I often get from students at this point is: why did we only get one notification (of one packet) via the command line system message, but there were in fact 5 packets that were blocked (as depicted in the show command output)?

The answer is that the IOS is being smart here and it will batch up the log messages so that the system is not overwhelmed in trying to show us all of these matches in real time.